Abstract

Temporal Logic Model Checking is a verification method in which we describe a system (the model) and then verify whether some properties, expressed as temporal logic formulae, hold in the system. It has many industrial applications. In order to improve performance, some tools allow preprocessing of the model, so that a set of properties can be verified on-line by reusing the same compiled model. We prove that the complexity of the Model Checking problem is the same whether no preprocessing is done or either the model or the formula is preprocessed into a polynomial-size data structure. As a result, preprocessing does not always improve performance exponentially.

Symbolic Model Checking algorithms work by manipulating sets of states, and these sets are often represented by BDDs. It has been observed that the size of BDDs may grow exponentially as the model and the formula increase in size. As a side result, we formally prove that a superpolynomial increase in the size of these BDDs is unavoidable in the worst case. While this exponential growth has been empirically observed, to the best of our knowledge it has never been proved so far in general terms. This result holds not only for all types of BDDs, regardless of the variable ordering, but also for more powerful data structures, such as BEDs, RBCs, MTBDDs, and ADDs.

1 Introduction 

Temporal Logic Model Checking [20] is a verification method for discrete systems. In a nutshell, the system, often called the model, is described by the possible transitions of its components, while the properties to verify are encoded in a temporal modal logic. It is used, for example, for the verification of protocols and hardware circuits [5]. Many tools, called model checkers, have been developed to this aim. The most famous ones are SPIN [35] and SMV [43] (with its many incarnations: NuSMV [17], RuleBase [p]), VIS [5], and FormalCheck [5i].

There are many languages to express the model; the most widespread ones are Promela and SMV. Two temporal logics are mainly used to define the specification: CTL and LTL. In this paper we focus on the latter.
In many cases, the two inputs of the model checking problem (the model and the formula) can be processed in different ways. If we want to verify several properties of the same system, it makes sense to spend more time on the model alone, provided the verification of the properties becomes faster. Many tools allow building the model separately from checking the formula [16], [53], [41]. This way, one can reuse the same model, compiled into a data structure, in order to check several formulae.

In the same way, we may wish to verify the same property on different systems: this time the property is the part we can spend more time on. Many tools allow populating a property database [16], [53], [36], i.e., a collection of temporal formulae which will be checked on the models. We imagine a situation in which we establish early the requirements that our system must satisfy, even before the system is actually designed. As a result, we can fill a database of temporal formulae, but we do not yet describe the system. While the design/modeling of the system goes on, we can preprocess the formulae (without knowledge of the model, which is not yet known). Once the system is specified, we can then use the result of this preprocessing step to check the model against the formulae.

In this paper, we analyze whether preprocessing a part of the model checking problem instances improves performance. The technical tool we use is compilability theory [15], [39]. This theory characterizes the complexity of problems when the problem instances can be divided into two parts (the fixed and the varying part), and we can spend more time on the first part alone, provided that the result of this preprocessing step has polynomial size with respect to the fixed part. We show that the Model Checking problem remains PSPACE-hard even if we can preprocess either the model or the formula, if this preprocessing step is constrained to produce a result of polynomial size. These theorems hold for all model checkers.

Finally, we answer a long-standing question in Symbolic Model Checking [33], [11]. It has been observed that the BDDs used by SMV and other Symbolic Model Checking systems become exponentially large in some cases. However, it has not yet been established whether this size increase is due to the choice of variable ordering, to the kind of BDDs employed, or is intrinsic to the problem. We show that, if $\mathrm{PSPACE} \neq \Pi_2^p \cap \Sigma_2^p$, such a growth is, in the worst case, unavoidable. This result is independent of the particular class of BDDs and of the variable order of the BDDs. It also holds for all decision diagrams representing integer-valued functions whose evaluation problem is in the polynomial hierarchy, such as BEDs [54], BMDs and *BMDs [9], RBCs [J], MTBDDs [14], and ADDs [5].

2 Preliminaries 
2.1 Model Checking 

In this section, we briefly recall the basic definitions about model checking that are needed in the rest of the paper. We follow the notation of [37], [38]. LTL (Linear Temporal Logic) is a modal logic aimed at encoding how states evolve over time. It has three unary modal operators ($X$, $G$, and $F$) and one binary modal operator ($U$). Their meaning is: $X\phi$ is true in a particular state if and only if the formula $\phi$ is true in the next state; $G\phi$ is true if and only if $\phi$ is true from now on; $F\phi$ is true if $\phi$ will become true at some time in the future; $\phi U \psi$ is true if $\psi$ will eventually become true and $\phi$ stays true until then. We indicate with $L(O_1, \ldots, O_n)$ the LTL fragment in which the only temporal operators allowed are $O_1, \ldots, O_n$; for instance, $L(F, X)$ is the fragment of LTL in which only $F$ and $X$ are allowed.

The semantics of LTL is based on Kripke models. In the following, by an 'atomic proposition' we mean a Boolean variable. Given a set of atomic propositions, a Kripke structure for LTL is a tuple $(Q, R, \mathcal{L}, I)$, where $Q$ is a set of states, $R$ is a binary relation over states (the transition relation), $\mathcal{L}$ is a function from states to atomic propositions (it labels every state with the atomic propositions that are true in that state), and $I$ is a set of initial states. A run of a Kripke structure is a Kripke model. A Kripke model for LTL is an infinite sequence of states, where the transition relation links each state with the one immediately following it in the sequence. The semantics of the modal operators is defined in the intuitive way: for example, $F\phi$ is true in a state of a Kripke model if $\phi$ is true in some following state.

The main problem of interest in practice is to verify whether all runs of 
a Kripke structure (all of its Kripke models) satisfy the formula; this is the 
Universal Model Checking problem. The Existential Model Checking one is to 
verify whether there is a run of the Kripke structure that satisfies the formula. 
In formal verification, we encode the behavior of a system as a Kripke structure, 
and the property we want to check as an LTL formula. Checking the structure 
against the formula tells whether the system satisfies the property. Since the 
Kripke structure is usually called a "model" (which is in fact very different from 
a Kripke model, which is only a possible run), this problem is called Model 
Checking. 

In practice, all model checkers describe a system by the Kripke structures of its components. A Kripke structure can be seen as a transition system [50]. Thus the global system is obtained by parallel composition of the transition systems representing its components, which share some variables [42], [20]; using this approach, we can give results valid for all model checkers.

2.2 Composition of Transition Systems 

Each component of the global system is modeled using a transition system, which is a formal way to describe the possible transitions a system can go through. Intuitively, all that is needed is to specify the state variables, the possible initial states, and which transitions are possible, i.e., we have to say whether the transition from state $s$ to state $s'$ is possible for any pair of states $s$ and $s'$. The formal definition is as follows [42], [20].

Definition 1 A finite-state transition system is a triple $(V, I, g)$, where $V = \{x_1, \ldots, x_n\}$ is a set of Boolean variables, $I$ is a formula over $V$, and $g(V, V')$ is a formula over $V \cup V'$, where $V' = \{x'_1, \ldots, x'_n\}$ is a set of new variables in one-to-one correspondence with the elements of $V$.

Intuitively, $V$ is the set of state variables, $I$ is a formula that is true on a truth assignment if and only if it represents a possible initial state, and $g$ is true on a pair of truth assignments if they represent a possible transition of the system. The set of variables $V'$ is needed because $g$ must refer to both the value of a variable in the current state ($x_i$) and in the next state ($x'_i$). In other words, in this formula $x_i$ means the value of $x_i$ in the current state, while $x'_i$ is the value of the same variable in the next state. For example, the fact that $x_i$ remains true is encoded by $g = x_i \rightarrow x'_i$: if $x_i$ is true now, then $x'_i$ is true, i.e., $x_i$ is true in the next state.

Formally, a state $s$ is an assignment to the variables; a state $s'$ is a successor of a state $s$ iff $(s, s') \models g(V, V')$. A computation is an infinite sequence of states $s_0, s_1, s_2, \ldots$ satisfying the following requirements:

Initiality: $s_0$ is initial, i.e. $s_0 \models I$

Consecution: For each $j \geq 0$, the state $s_{j+1}$ is a successor of the state $s_j$

For the sake of simplicity, and without loss of generality, we only consider Boolean variables and Boolean assertions.

In order to model a complex system, we assume that each of its parts can be modeled by a transition system. Clearly, there is usually some interaction between the parts; as a result, some variables may be shared between the transition systems. In the following, we consider $k$ transition systems $M_1, \ldots, M_k$. Every $M_i$ is described by $((V_i^L \cup V_i^S), I_i(V_i), g_i(V_i, V_i'))$ for $1 \leq i \leq k$, where $V_i^L$ is the set of variables local to $M_i$, $V_i^S$ is the set of shared variables of $M_i$, and $V_i = V_i^L \cup V_i^S$. A group of transition systems can be composed in different ways: synchronous, interleaved asynchronous, and asynchronous. The third way is not frequently used in Model Checking, so we only define the first two ways of composition. In the following, a process is any of the transition systems $M_i$.

The synchronous parallel composition of k transition systems is obtained 
by assuming that the global transition is due to all processes Mi making a 
transition simultaneously. In other words, all processes must make a transition 
at any time step, and no process is allowed to "idle" at any time step. 

Definition 2 The synchronous parallel composition of processes $M_1, \ldots, M_k$, denoted by $M_1 \| \ldots \| M_k$, is the transition system $M = (V, I, g)$ described by:

$$V = \bigcup_{i=1}^{k} V_i \qquad I(V) = \bigwedge_{i=1}^{k} I_i(V_i)$$

$$g(V, V') = \bigwedge_{i=1}^{k} g_i(V_i, V_i')$$

The basic idea of the interleaved asynchronous parallel composition is that only one process is active at any given time. As a result, a global transition can only result from the transition of a single process. The variables that are not changed by this process must maintain the same value.

Definition 3 The interleaved asynchronous parallel composition of $M_1, \ldots, M_k$ is the transition system $M = (V, I, g)$, where $V$ and $I$ are as in the synchronous composition and $g$ is:

$$g(V, V') = \bigvee_{i=1}^{k} \Big( g_i(V_i, V_i') \wedge \bigwedge_{j \neq i} V_j^L = (V_j^L)' \Big)$$

The interleaved asynchronous parallel composition of $M_1, \ldots, M_k$ is denoted by $M_1 | \ldots | M_k$.

A model can be described as the composition of transition systems. As a re- 
sult, we can define the model checking problem for concurrent transition systems 
as the problem of verifying whether the model described by the composition of 
the transition systems satisfies the given formula. 
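As an added illustration (this is not code from the paper), the following Python encodes Definitions 1, 2 and 3 directly as predicates over Boolean states and then decides Existential Model Checking for an $L(F)$ property over the composed system; the process names M1, M2, M3 and all helper names are constructed for this example. It also handles a point the definitions make but a naive reachability search would miss: a computation must be infinite, so a state with no successor lies on no run.

```python
from itertools import product
from collections import deque


class TransitionSystem:
    """A finite-state transition system (V, I, g) as in Definition 1.
    V: ordered tuple of Boolean variable names;
    I: predicate on a state (dict name -> bool) selecting the initial states;
    g: predicate on (state, next_state) giving the transition relation."""

    def __init__(self, V, I, g):
        self.V, self.I, self.g = tuple(V), I, g


def _union_vars(systems):
    # Union of the V_i, keeping first-seen order so states are comparable.
    return tuple(dict.fromkeys(v for ts in systems for v in ts.V))


def sync_compose(systems):
    """Definition 2: every process moves at every step, so the global g is
    the conjunction of the g_i (no process may idle)."""
    return TransitionSystem(
        _union_vars(systems),
        lambda s: all(ts.I(s) for ts in systems),
        lambda s, t: all(ts.g(s, t) for ts in systems),
    )


def interleaved_compose(systems):
    """Definition 3: exactly one process M_i makes a transition; the variables
    outside V_i keep their value (the other processes idle)."""
    V = _union_vars(systems)

    def g(s, t):
        return any(ts.g(s, t) and all(s[v] == t[v] for v in V if v not in ts.V)
                   for ts in systems)

    return TransitionSystem(V, lambda s: all(ts.I(s) for ts in systems), g)


def all_states(ts):
    return [dict(zip(ts.V, bits)) for bits in product((False, True), repeat=len(ts.V))]


def _key(ts, s):
    return tuple(s[v] for v in ts.V)


def live_states(ts):
    """States from which an infinite computation can continue. A computation is
    infinite (Initiality + Consecution), so a state whose successors all lead
    to dead ends is on no run. Greatest fixed point: drop states with no live
    successor until nothing changes. Returns (live keys, successor map)."""
    states = all_states(ts)
    succ = {_key(ts, s): [_key(ts, t) for t in states if ts.g(s, t)] for s in states}
    live, changed = set(succ), True
    while changed:
        changed = False
        for k in list(live):
            if not any(n in live for n in succ[k]):
                live.discard(k)
                changed = True
    return live, succ


def exists_run_satisfying_F(ts, goal):
    """Existential model checking of the L(F) formula F goal: is there a
    computation of ts in which some state satisfies goal? The system is
    finite-state, so a BFS over live states from live initial states decides it."""
    live, succ = live_states(ts)
    states = {_key(ts, s): s for s in all_states(ts)}
    frontier = deque(k for k, s in states.items() if ts.I(s) and k in live)
    seen = set(frontier)
    while frontier:
        k = frontier.popleft()
        if goal(states[k]):
            return True
        for n in succ[k]:
            if n in live and n not in seen:
                seen.add(n)
                frontier.append(n)
    return False


# Constructed sample processes. M1 and M2 each toggle one variable at every
# step; M3 can move only once (c: 0 -> 1) and then has no successor at all.
M1 = TransitionSystem(("a",), lambda s: not s["a"], lambda s, t: t["a"] != s["a"])
M2 = TransitionSystem(("b",), lambda s: not s["b"], lambda s, t: t["b"] != s["b"])
M3 = TransitionSystem(("c",), lambda s: not s["c"], lambda s, t: (not s["c"]) and t["c"])


def demo():
    goal = lambda s: s["a"] and not s["b"]
    # Synchronously a and b always toggle together, so a /\ not b is never
    # reached; interleaved, a may toggle while b idles.
    sync_reach = exists_run_satisfying_F(sync_compose([M1, M2]), goal)        # False
    inter_reach = exists_run_satisfying_F(interleaved_compose([M1, M2]), goal)  # True
    # M1 || M3 reaches c = 1 after one step, but that state has no successor,
    # so no infinite computation exists and F c does not hold existentially.
    dead = exists_run_satisfying_F(sync_compose([M1, M3]), lambda s: s["c"])   # False
    return sync_reach, inter_reach, dead


if __name__ == "__main__":
    print(demo())
```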

2.3 Complexity and Compilability 

We assume that the reader knows the basic concepts of complexity theory [48], [51]. What we mainly use in this paper are the concepts of polynomial reduction and the class PSPACE.

The Model Checking problem is PSPACE-complete, and is thus intractable. On the other hand, as said in the Introduction, it makes sense to preprocess only one part of the problem (either the model or the formula), if this reduces the remaining running time. The analysis of how much can be gained by such preprocessing, however, cannot be done using the standard tools of the polynomial classes and reductions. The compilability classes [15] have to be used instead.

The way in which the complexity of a problem is identified in the theory of NP-completeness is that of giving a set of increasing classes of problems. If a problem is in a class C but is not in an inner class C', then we can say that this problem is more complex to solve than a problem in C'. A similar characterization, with similar classes, can be given when preprocessing is allowed. For example, the class $\parallel\!\leadsto\!\mathrm{P}$ is the class of problems that can be solved in polynomial time after a preprocessing step. Crucial to this definition are two points:

1. which part of the problem instance can be preprocessed? 

2. how expensive is the preprocessing part allowed to be? 

The first point depends on the specific problem and on the specific setting: depending on the scenario, for example, we can preprocess either the model or the formula for the model checking problem. The second question instead allows for a somewhat more general answer. First, we cannot limit this phase to take polynomial time, as otherwise there would be no gain in doing preprocessing from the point of view of computational complexity. Second, we cannot allow the final result of this phase to be exponentially large, for practical reasons; we therefore bound the result of the preprocessing phase only to take a polynomial amount of space.

In order to denote problems in which only one part can be preprocessed, we assume that their instances are composed of two parts, and that the part that can be preprocessed is the first one. As a result, the model checking problem written as $(M, \phi)$ indicates that $M$ can be preprocessed; written as $(\phi, M)$, it indicates that $\phi$ can be preprocessed.
The "complexity when preprocessing is allowed" is established by characterizing how hard a problem is after the preprocessing step. This is done by building over the usual complexity classes: if C is a "regular" complexity class such as NP, then a problem is in the (non-uniform) compilability class $\parallel\!\leadsto\!\mathrm{C}$ if the problem is in C after a preprocessing step whose result takes polynomial space. In other words, $\parallel\!\leadsto\!\mathrm{C}$ is "almost" C, but preprocessing is allowed and is not counted in the cost of solving the problem. More details can be found in [15].

In order to identify how hard a problem is, we also need a concept of hardness. Since the regular polynomial reductions are not appropriate when preprocessing is allowed, ad-hoc reductions (called nu-comp reductions in [15]) have been defined.

In this paper, we do not show the hardness of problems directly, but rather use a sufficient condition called representative equivalence. For example, in order to prove that model checking is $\parallel\!\leadsto\!\mathrm{PSPACE}$-hard, we first show a (regular) polynomial reduction from a PSPACE-hard problem to model checking and then show that this reduction satisfies the condition of representative equivalence.

Let us assume that we know that a given problem $A$ is $\parallel\!\leadsto\!\mathrm{C}$-hard and we have a polynomial reduction from the problem $A$ to the problem $B$. Can we use this reduction to prove the $\parallel\!\leadsto\!\mathrm{C}$-hardness of $B$? Liberatore shows sufficient conditions that should hold on $A$ as well as on the reduction. If all these conditions are verified, then there is a nu-comp reduction from $*A$ to $B$, where $*A = \{(x, y) \mid y \in A\}$, thus proving the $\parallel\!\leadsto\!\mathrm{C}$-hardness of $B$.

Definition 4 (Classification Function) A classification function for a problem $A$ is a polynomial function $Class$ from instances of $A$ to nonnegative integers, such that $Class(y) \leq \|y\|$.

Definition 5 (Representative Function) A representative function for a problem $A$ is a polynomial function $Repr$ from nonnegative integers to instances of $A$, such that $Class(Repr(n)) = n$, and such that $\|Repr(n)\|$ is bounded by some polynomial in $n$.

Definition 6 (Extension Function) An extension function for a problem $A$ is a polynomial function $Exte$ from instances of $A$ and nonnegative integers to instances of $A$ such that, for any $y$ and $n \geq Class(y)$, the instance $y' = Exte(y, n)$ satisfies the following conditions:

1. $y \in A$ if and only if $y' \in A$;

2. $Class(y') = n$.

Let us give some intuition about these functions. Usually, an instance of a problem is composed of a set of objects combined in some way. For problems on Boolean formulas, we have a set of variables combined to form a formula. For graph problems, we have a set of nodes, and the graph is indeed a set of edges, which are pairs of nodes. The classification function gives the number of objects in an instance. The representative function thus gives an instance with the given number of objects. This instance should be in some way "symmetric", in the sense that its elements should be interchangeable (this is because the representative function must be determined only from the number of objects). Possible results of the representative function can be the set of all clauses of three literals over a given alphabet, the complete graph over a set of nodes, the graph with no edges, etc. Let for example $A$ be the problem of propositional satisfiability. We can take $Class(F)$ as the number of variables in the formula $F$, while $Repr(n)$ can be the set of all clauses of three literals over an alphabet of $n$ variables. Finally, a possible extension function is obtained by adding tautological clauses to an instance. Note that these functions are related to the problem $A$ only, and involve neither the specific problem $B$ we want to prove hard nor the specific reduction used. We now define a condition over the polytime reduction from $A$ to $B$. Since $B$ is a problem of pairs, we can define a reduction from $A$ to $B$ as a pair of polynomial functions $(r, h)$ such that $x \in A$ if and only if $(r(x), h(x)) \in B$.

Definition 7 (Representative Equivalence) Given a problem $A$ (having the above three functions), a problem of pairs $B$, and a polynomial reduction $(r, h)$ from $A$ to $B$, the condition of representative equivalence holds if for any instance $y$ of $A$ it holds that:

$$(r(y), h(y)) \in B \quad\text{iff}\quad (r(Repr(Class(y))), h(y)) \in B$$

The condition of representative equivalence can be proved to imply that the problem $B$ is $\parallel\!\leadsto\!\mathrm{C}$-hard if $A$ is C-hard [35]. As an example, we show these three functions for the $\mathrm{PLANSAT}^1$ problem. $\mathrm{PLANSAT}^1$ is the following planning problem: given a STRIPS [55] instance $y = (P, O, I, G)$ in which the operators have an arbitrary number of preconditions and only one postcondition, is there a plan for $y$? $\mathrm{PLANSAT}^1$ is PSPACE-complete [12]. Without loss of generality we consider $y = (P, O \cup \{o_0\}, I, G)$, where $o_0$ is an operator which is always usable (it has no preconditions) and does nothing (it has no postconditions). We use the following notation: $P = \{x_1, \ldots, x_n\}$, $I$ is the set of conditions true in the initial state, $G = (M, N)$. A state in STRIPS is a set of conditions. In the following we indicate with $\phi_i^h$ the $h$th positive precondition of the operator $o_i$, with $\phi_i$ all its positive preconditions, with $\eta_i^h$ its $h$th negative precondition, and with $\eta_i$ all its negative preconditions; $\alpha_i$ is the positive postcondition of the operator $o_i$, $\beta_i$ is the negative postcondition of the operator $o_i$. Since any operator has only one postcondition, for every operator $i$ it holds that $\|\alpha_i \cup \beta_i\| = 1$.

Since we shall use them in the following, we define a classification function, a representative function and an extension function for $\mathrm{PLANSAT}^1$.

Classification Function: $Class(y) = \|P\|$. Clearly, it satisfies the condition $Class(y) \leq \|y\|$.

Representative Function: $Repr(n) = (P_n, \emptyset, \emptyset, \emptyset)$, where $P_n = \{x_1, \ldots, x_n\}$. Clearly, this function is polynomial and satisfies the following conditions: (i) $Class(Repr(n)) = n$, (ii) $\|Repr(n)\| \leq p(n)$ where $p(n)$ is a polynomial.

Extension Function: Let $y = (P, O, I, G)$ and $y' = Exte(y, n) = (P_n, O, I, G)$. Clearly, for any $y$ and $n$ s.t. $n \geq Class(y)$, $y'$ satisfies the following conditions: (i) $y \in A$ iff $y' \in A$, (ii) $Class(y') = n$.

Given the limitation of space we cannot give the full definitions for compilability, for which the reader should refer to [15] for an introduction, to [M], [13] for an application to the succinctness of some formalisms, and to [39] for further applications and technical advances.
3 Results

The Model Checking problem for concurrent transition systems is PSPACE-complete [37]. In Section 3.1 we prove that the following problems are $\parallel\!\leadsto\!\mathrm{PSPACE}$-hard, which implies that they remain PSPACE-hard even if preprocessing is allowed.

1. model checking on the synchronous and interleaved asynchronous composition of transition systems, where the transition systems are the fixed part of the problem and the LTL formula is the varying part;

2. the same problem, where the LTL formula is the fixed part and the transition systems are the varying part;

3. given a set of transition systems and a formula as the fixed part, and a state as the varying part, checking whether the state is a legal initial state.

We can conclude that preprocessing the model or the formula does not lead 
to a polynomial algorithm for model checking. We recall that the fixed part is 
preprocessed off-line in a polynomial data structure during the preprocessing 
phase, and the varying part is given on-line. 

The relevance of the first two problems is clear; in formal verification, it 
is often the case that many properties (formulae) have to be verified over the 
same system (the model, in this case modeled by the transition systems); on the 
other hand, it may also be that the same property has to be verified on different 
systems. 

The result about the third problem is less interesting by itself. On the other hand, we use it to prove that the superpolynomial growth of the size of the data structures (e.g. OBDDs) currently used in model checkers based on Symbolic Model Checking algorithms [33] (such as SMV and NuSMV) cannot be avoided in general. The result is independent of the variable ordering, and it holds for other data structures that can be employed. We show these results in Section 3.2.

We point out that most Temporal Logic Model Checking algorithms [20] fall into one of three classes: Symbolic Model Checking algorithms, which work on a symbolic representation of $M$; algorithms based on Bounded Model Checking [7] (i.e. based on a reduction from Model Checking to SAT); and algorithms that work on an explicit representation of $M$ (e.g. [32]). Our results concerning the size of the BDD (or some other decision diagram) are valid for all algorithms of the first class.

In the proofs of the following sections we consider Existential Model Check- 
ing problems, but the results are valid also for the Universal case; in fact 
PSPACE is closed under complementation also for compilability. 

3.1 Preprocessing Model Checking 

We now identify the complexity of the Model Checking problem when the pre- 
processing of the model (represented as the composition of transition systems) 
is allowed, both in the synchronous and in the interleaved case. 
Theorem 1 The model checking problem for $k$ synchronous concurrent processes $MC_{SYN} = ((M_1 \| \ldots \| M_k), \varphi)$ where $\varphi \in LTL$ is $\parallel\!\leadsto\!\mathrm{PSPACE}$-hard, and remains $\parallel\!\leadsto\!\mathrm{PSPACE}$-hard for $\varphi \in L(F, G, X)$.

Proof. It is similar to the proof of Theorem 2. We carry out a reduction from the $\mathrm{PLANSAT}^1$ problem that satisfies the conditions of representative equivalence; the main difference concerns the LTL formula. □

We now consider the Model Checking problem for concurrent processes composed in an interleaved way when the model can be preprocessed.

Theorem 2 The model checking problem for $k$ interleaved concurrent processes $MC_{ASYN} = ((M_1 | \ldots | M_k), \varphi)$ where $\varphi \in LTL$ is $\parallel\!\leadsto\!\mathrm{PSPACE}$-complete, and remains $\parallel\!\leadsto\!\mathrm{PSPACE}$-hard for $\varphi \in L(F, G, X)$.

Proof. We show a reduction that translates an instance $y \in \mathrm{PLANSAT}^1$ into an instance $(r(y), h(y)) \in MC_{ASYN}$, satisfying the condition of representative equivalence. Given $y = (P, O, I, G) \in \mathrm{PLANSAT}^1$:

- $r(y)$ defines the concurrent transition systems $M_1, \ldots, M_n$, where each $M_i$ is obtained from a variable $x_i \in P$ and is described by:

$$g_i(V_i, V_i') = (x_i = 0 \wedge x_i' = 0) \vee (x_i = 0 \wedge x_i' = 1) \vee (x_i = 1 \wedge x_i' = 0) \vee (x_i = 1 \wedge x_i' = 1)$$

The process $M = M_1 \| \ldots \| M_n$ represents all possible computations, starting from all possible initial assignments, over the variables $x_1, \ldots, x_n$.

- $h(y) = h(I, G, O) = \varphi_I \wedge \varphi_G \wedge \varphi_O$, where:

$$\varphi_I = \bigwedge_{x_i \in I} x_i \wedge \bigwedge_{x_i \notin I} \neg x_i$$

$$\varphi_G = F\Big( \bigwedge_{x_i \in M} x_i \wedge \bigwedge_{x_i \in N} \neg x_i \Big)$$

$$\varphi_O = G \bigvee_{i=0}^{m} \Big[ \bigwedge_{h=1}^{\|\phi_i\|} \phi_i^h \wedge \bigwedge_{h=1}^{\|\eta_i\|} \neg \eta_i^h \wedge X\gamma_i \wedge \bigwedge_{\substack{j=1 \\ x_j \notin \alpha_i \cup \beta_i}}^{n} (x_j \leftrightarrow X x_j) \Big]$$

where

$$\gamma_i = \begin{cases} \alpha_i & \text{if } \alpha_i \neq \emptyset \\ \neg\beta_i & \text{if } \beta_i \neq \emptyset \end{cases}$$

$\varphi_I$ adds constraints about the initial states of $y$ represented by $I$.

$\varphi_G$ adds constraints about the goal states of $y$ represented by $G$: it says that a goal state will be reached.

$\varphi_O$ describes the operators in $O$: globally (i.e. in every state) one of the operators must be used to go to the next state; $\varphi_O$ also describes the nop operator $o_0$.
Now we prove that $y \in \mathrm{PLANSAT}^1$ iff $(r(y), h(y)) \in MC_{ASYN}$. Given $y = (P, O, I, G)$, a solution for $y$ is a plan which generates the following sequence of states: $(s_1, \ldots, s_p)$ where $s_1$ is an initial state and $s_p$ is a goal state. This sequence of states is obtained by applying a sequence of operators $(o_{h_1}, \ldots, o_{h_p})$ chosen in $O = \{o_1, \ldots, o_m\}$ in the following way: for all $i$ s.t. $1 \leq i < p$, the preconditions of $o_{h_i}$ are included in the state $s_i$, and the state $s_{i+1}$ is obtained from the state $s_i$ by modifying the postcondition associated with $o_{h_i}$. We remark that a state in STRIPS is a set of conditions.

The model $M = r(y) = r(P)$ represents all possible traces starting from all possible initial configurations over the variables $x_1, \ldots, x_n$. Thus, in this case the Existential Model Checking problem $(M, \varphi)$ reduces to the satisfiability problem for $\varphi$: we check whether there exists a trace, among all traces over the variables $x_1, \ldots, x_n$, that satisfies the LTL formula $\varphi$. Therefore, we have to prove that $y \in A$ iff $\varphi = h(y)$ is satisfiable:

$\Rightarrow$. Given a solution for $y \in A$, we identify a model for $\varphi = h(y)$; by construction such a model has:

- an initial state $s_1^M$ s.t. $\mathcal{L}(s_1^M) = I \cup \{\neg x_i \mid x_i \notin I\}$

- a state $s_p^M$ s.t. $\mathcal{L}(s_p^M) \supseteq M \cup \{\neg x_i \mid x_i \in N\}$

- given a state $s_i^M$, $s_{i+1}^M$ is a successor of $s_i^M$ iff

  - $\mathcal{L}(s_i^M) \subseteq Precond(o_{h_i})$, where $Precond(o_{h_i}) = \{x_j \mid x_j \in \phi_{h_i}\} \cup \{\neg x_j \mid x_j \in \eta_{h_i}\}$

  where $\alpha_i$ is the positive postcondition of $o_{h_i}$ and $\beta_i$ is the negative postcondition of $o_{h_i}$.

- an infinite number of states: when the state $s_p^M$ is reached, this state is repeated at least once or forever (applying the nop operator $o_0$), or it is possible, depending on $y$, to apply any operator whose preconditions are satisfied by $\mathcal{L}(s_p^M)$.

$\Leftarrow$. Let $(s_1^M, \ldots, s_p^M, \ldots)$ be a model for $\varphi$, and let $s_p^M$ be the goal state, that is, the first state satisfying $\varphi_G$. We obtain the sequence of states visited by a plan which is a solution for $y$ by cutting the states after the goal state $s_p^M$ and assigning $s_i = \mathcal{L}(s_i^M)$; thus this sequence of states $(s_1, \ldots, s_p)$, associated with the plan, has by construction:

- an initial state $s_1$ s.t. $s_1 = I \cup \{\neg x_i \mid x_i \notin I\}$

- a state $s_p$ s.t. $s_p \supseteq M \cup \{\neg x_i \mid x_i \in N\}$

- given a state $s_i$, $s_{i+1}$ is a successor of $s_i$ iff

  - $s_i \subseteq Precond(o_{h_i})$

  - $s_{i+1} = s_i \cup \alpha_i - \beta_i$

  where $\alpha_i$ is the positive postcondition of $o_{h_i}$ and $\beta_i$ is the negative postcondition of $o_{h_i}$. □
Now we show the complexity results, both in the synchronous and in the interleaved case, when the formula can be preprocessed.

Theorem 3 The model checking problem for $k$ synchronous concurrent processes $MC'_{SYN} = (\varphi, (M_1 \| \ldots \| M_k))$ where $\varphi \in LTL$ is $\parallel\!\leadsto\!\mathrm{PSPACE}$-complete, and remains $\parallel\!\leadsto\!\mathrm{PSPACE}$-hard for $\varphi \in L(F, G, X)$.

Proof. $\mathrm{PLANSAT}^1$ is the following planning problem: given a STRIPS [55] instance $y = (P, O, I, G)$ in which the operators have an arbitrary number of preconditions and only one postcondition, is there a plan for $y$? $\mathrm{PLANSAT}^1$ is PSPACE-complete [12]. Without loss of generality we consider $y = (P, O \cup \{o_0\}, I, G)$, where $o_0$ is an operator which is always usable (it has no preconditions) and does nothing (it has no postconditions). We use the following notation: $P = \{x_1, \ldots, x_n\}$, $I$ is the set of conditions true in the initial state, $G = (M, N)$. A state in STRIPS is a set of conditions.

In the following we indicate with $\phi_i^h$ the $h$th positive precondition of the operator $o_i$, and with $\eta_i^h$ the $h$th negative precondition of the operator $o_i$; $\alpha_i$ is the positive postcondition of the operator $o_i$, $\beta_i$ is the negative postcondition of the operator $o_i$. Since any operator has only one postcondition, for every operator $i$ it holds that $\|\alpha_i \cup \beta_i\| = 1$.

We show a polynomial reduction from the problem $A$ to the problem $B$ that satisfies the condition of representative equivalence. This proves that $B$ is $\parallel\!\leadsto\!\mathrm{C}$-hard if $A$ is C-hard; to apply this condition we must define a Classification Function, a Representative Function and an Extension Function for $A$. Thus we use the following proof schema: we define a Classification Function, a Representative Function and an Extension Function for $\mathrm{PLANSAT}^1$ (as done in Section 2.3), then we show a polynomial reduction from an instance $y \in \mathrm{PLANSAT}^1$ to an instance $(r(y), h(y)) \in MC'_{SYN}$ that satisfies the condition of representative equivalence.

Let $y = (P, O, I, G) \in \mathrm{PLANSAT}^1$. We define $r$ and $h$ as follows:

$$r(y) = r(P) = F(x_g) \wedge G\big[\;\cdots\; \neg(x_i \leftrightarrow X x_i) \;\cdots\; (x_j \leftrightarrow X x_j) \;\cdots\;\big]$$

$h(y)$ defines the transition systems $M_1 \| \ldots \| M_k$. The generic $M_i$ is obtained from the operators $o_{i_1}, \ldots, o_{i_{d_i}}$ whose postcondition involves the variable $x_i \in P$; $d_i$ is the number of such operators. We add the variable $x_g$; thus we have at most as many processes as variables: if $k$ is the number of variables used as postconditions of operators plus one, we have $k \leq n + 1$. Let $M_k$ be the process associated with the variable $x_g$; this variable is 0 at the beginning and it becomes 1 only when the goal of the $\mathrm{PLANSAT}^1$ problem is reached. $M_i$, for $i$ s.t. $1 \leq i < k$, is defined by:

$$\ldots \neg x_i \ldots \qquad \text{(with conjunctions over } h = 1, \ldots, d_i\text{)}$$

where

$$\delta_{i_h} = \begin{cases} 1 & \text{if } \alpha_{i_h} \neq \emptyset \\ 0 & \text{if } \beta_{i_h} \neq \emptyset \end{cases}$$

The process $M_k$ is defined by:

$$V_k = \{x_g\}$$

$$I_k(V) = (x_g = 0)$$

Now we prove that this reduction is correct, i.e. y £ PLAN SAT* iff 

{T{y)My))^MC'sYN- 

Given a solution for y E PLAN S ATI , show a path of M which 

satisfies ip (r(y) defined above). 

A solution for y is a plan which generates the following sequence of states: 
(si, . . . , Sp) where si is a initial state and Sp is a goal state. This sequence of 
states is obtained by applying a sequence of operators (o/^ , . . . , Oh^). 

By construction M admits a path (sf^ , . . . , s*^, Sp+i, ■ . • ) s.t.: 

- e{sf^) ^ Si U^Xg for il <i <p 

~ ^i^p+l) — SpD Xg 

This path satisfies ψ:

- ψ does not constrain the initial state, therefore every initial state of the model is legal;

- x_g ∈ ℓ(s'_{p+1}), therefore F(x_g) is true;

- along the path shown only one variable changes at a time, therefore the subformula under the Globally is true.

Given a path of M which satisfies ψ, we show a solution for y ∈ PLANSAT*.

The path is a sequence (s'_1, …, s'_p, s'_{p+1}, …). We obtain the sequence of states visited by a plan for y in this way:

- s_i = ℓ(s'_i) − {¬x_g} for i s.t. 1 ≤ i ≤ p;

- we ignore the rest of the path of M.

□ 
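The two directions of the correctness argument above, carried out on a toy instance, as an added example that is not part of the paper. The encoding of h(y) (one interleaving step per operator, plus a step that raises x_g once the goal holds), the operator format (precondition as a partial assignment, postcondition on one variable) and the instance Y are assumptions of this example.

```python
from collections import deque

def successors(state, O, G):
    """One interleaving step of h(y) (assumed encoding): exactly one process moves,
    so at most one variable changes per step, which is what the G-subformula of
    psi requires. The extra process for x_g raises it from 0 to 1 only once G holds."""
    if state["x_g"] == 0 and all(state[v] == b for v, b in G.items()):
        yield dict(state, x_g=1)
    for pre, (v, b) in O:                     # each operator changes one variable
        if all(state[u] == c for u, c in pre.items()) and state[v] != b:
            yield dict(state, **{v: b})

def model_check_path(y):
    """BFS over the finite state space of h(y) for a path that satisfies psi, i.e.
    reaches x_g = 1 (F(x_g)). Returns the path as a list of labellings, or None."""
    P, O, I, G = y
    start = dict(I, x_g=0)
    key = lambda s: frozenset(s.items())
    parent = {key(start): None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s["x_g"] == 1:                     # F(x_g) reached: unwind the path
            path, k = [], key(s)
            while k is not None:
                path.append(dict(k)); k = parent[k]
            return path[::-1]
        for t in successors(s, O, G):
            if key(t) not in parent:
                parent[key(t)] = key(s); queue.append(t)
    return None

def plan_from_path(path, y):
    """Second direction of the proof: s_i = l(s'_i) minus x_g, ignoring the suffix
    once x_g = 1. One variable changes per step, so each step is one operator."""
    P, O, _, _ = y
    states = [{v: s[v] for v in P} for s in path if s["x_g"] == 0]
    plan = []
    for a, b in zip(states, states[1:]):
        (v,) = [u for u in P if a[u] != b[u]]  # exactly one change, by psi
        plan.append(next(i for i, (pre, post) in enumerate(O)
                         if post == (v, b[v]) and all(a[u] == c for u, c in pre.items())))
    return states, plan

# Constructed instance y = (P, O, I, G); op3 needs x1 cleared again after x2 was set.
Y = (("x1", "x2", "x3"),
     [({}, ("x1", 1)), ({"x1": 1}, ("x2", 1)),
      ({"x2": 1}, ("x1", 0)), ({"x1": 0, "x2": 1}, ("x3", 1))],
     {"x1": 0, "x2": 0, "x3": 0}, {"x3": 1})
```

model_check_path(Y) returns a six-state path whose last state has x_g = 1, and plan_from_path recovers the operator sequence [0, 1, 2, 3] from it; dropping op3 from Y makes the goal unreachable and the search returns None.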



Theorem 4 The model checking problem for k interleaved concurrent processes MC_SYN = (φ, (M_1 ‖ … ‖ M_k)), where φ ∈ LTL, is ‖⇝PSPACE-complete, and remains ‖⇝PSPACE-hard for φ ∈ L(F).

Proof. We carry out a reduction from the PLANSAT* problem that satisfies the conditions of representative equivalence. The proof is similar to the proof of the previous theorem. □

Now we introduce the decision problem MC_{s_0} = ((M, φ), s_0), where M is specified by the interleaved parallel composition of k transition systems M_1, …, M_k, φ ∈ L(F), and s_0 is a specific state. MC_{s_0} is true if the model checking problem for the concurrent transition system (M, φ) has a solution and s_0 is a legal initial state, i.e., an initial state belonging to M that satisfies φ.

Theorem 5 MC_{s_0} is ‖⇝PSPACE-complete.

Proof. The hardness follows from a polynomial time reduction from the problem ((P, O, G), I), which can easily be shown ‖⇝PSPACE-complete on the basis of the results in [10].

We sketch the reduction. We encode each operator in O into each process M_i, and the goal G into the formula φ. We encode the set of initial states I using s_0. □



3.2 The Size of BDDs

In this section we prove that the size of BDDs and other data structures increases superpolynomially with the size of the input data, in the worst case, when they are used in a Symbolic Model Checking algorithm.

Let M be a model specified by k concurrent transition systems M_1, …, M_k, and let φ be an LTL (or CTL or CTL*) formula.

Theorem 6 If PSPACE ⊈ Σ^p_2 ∩ Π^p_2, then there is not always a BDD, of any kind and with any variable order, of polynomial size that represents the set of initial states consistent with M and φ.

Proof. The evaluation problem for any kind of BDD, i.e. given a BDD and an assignment of its variables, evaluate the BDD, is in P. If there exists a poly-size BDD representing the set of initial states consistent with M and φ, then we can compile M and φ into the BDD and evaluate the assignment (representing an initial state) in polynomial time. This implies that MC_{s_0} is in ‖⇝P. We know from Theorem 5 that MC_{s_0} is ‖⇝PSPACE-complete. Therefore if such a BDD exists, then ‖⇝PSPACE = ‖⇝P. Now, by applying Theorem 2.12 in [15], we conclude that there is no poly-size reduction from MC_{s_0} to the evaluation problem for a BDD, if PSPACE ⊈ Σ^p_2 ∩ Π^p_2. □

Symbolic Model Checking algorithms work by building a representation of the set of initial states of M that satisfy φ. In particular, this set is represented by BDDs. Therefore, the last theorem proves that these algorithms, in the worst case, end up with a BDD of superpolynomial size. This result does not depend on the kind of BDD used (free, ordered, etc.) or on the variable ordering. Moreover, it also holds when the states are labeled with enumerated variables; in other words, it holds not only for BDDs but for any decision diagram, provided that the evaluation problem over this representation of the states is in a class of the polynomial hierarchy. More formally, we consider an arbitrary representation of a set of states. The evaluation problem is that of determining whether a state belongs to the set.

Theorem 7 Given a method for representing a set of states whose evaluation problem is in a class of the polynomial hierarchy, it is not always possible to represent in polynomial space the set of legal initial states of a model M and a formula φ, provided that Σ^p_{i+1} ≠ Π^p_{i+1}.

The proof of this theorem has the same structure as the proof of Theorem 6.






Instances of such data structures, currently used in Symbolic Model Checking tools, are BDDs, Boolean Expression Diagrams (BEDs) [54] and Reduced Boolean Circuits (RBCs) [1]. Our results also hold for data structures used to represent integer-valued functions, like Multi-terminal Binary Decision Diagrams (MTBDDs) […] and Algebraic Decision Diagrams (ADDs) [2]; see the survey […] for details.

On the other hand, it is also possible to prove that the above two theorems cannot be stated unconditionally: indeed, if P = PSPACE, then there is a data structure of polynomial size representing the set of initial states in such a way that deciding whether a state is in this set can be done in polynomial time. As a result, an unconditional version of the above two theorems would imply a separation in the polynomial hierarchy.

4 Related Works 

Some works in the literature are related to the results in this article:

1. the exponential growth of the BDD size with respect to a particular problem (e.g. integer multiplication [10]); some results concern the size growth of other decision diagrams […] with respect to particular problems. While these results are not conditional on the collapse of the polynomial hierarchy, as the ones reported in this paper are, they are also more specific, as they concern only specific kinds of data structures (e.g. OBDDs) with respect to particular problems (e.g. integer multiplication).

2. the complexity of model checking:

(a) the parametrized complexity [24] of a wide variety of model checking problems [23], analyzing the state explosion problem;

(b) it has been shown that […]:

i. the complexity of model checking does not decrease under the hypothesis of some structural restrictions (e.g. treewidth) on the input;

ii. although a CNF formula of bounded treewidth can be represented by an OBDD of polynomial size, the nice properties of treewidth-bounded CNF formulas are not preserved under existential quantification or unrolling, which is a basic operation of model checking algorithms.

(c) the compilability of the model checking problem [27]: it remains PSPACE-complete even if a part of the input, either the implicit model or the formula, is preprocessed using any amount of time and storing the result of this preprocessing step in a polynomial-sized data structure.

3. the theoretical limitations of Symbolic Model Checking. The state explosion problem can be partially explained by complexity theoretic results [19]; in fact, problems (also those whose inputs are graphs) usually increase their worst case complexity when the input is represented by BDDs or other Boolean formalisms […]. Moreover, a classic information theoretic argument shows that only a small fraction of all finite Kripke structures can be exponentially compressed [55].

4. succinctness of languages; for instance […], in which the succinctness of languages for preferences is discussed, and [22], which presents results on the succinctness of several formalisms, including BDDs and CNF.